From: Tom Yu Date: Mon, 24 Oct 2016 18:05:41 +0000 (-0400) Subject: Update features list for 1.15 X-Git-Tag: krb5-1.15-beta2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc1909ae1cfbb93d15fcfd1bfb878a92309475a3;p=thirdparty%2Fkrb5.git Update features list for 1.15 (cherry picked from commit 6872044bb52fdbbcbb965fe5dcb3e1da2755ae82) ticket: 8510 version_fixed: 1.15 --- diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index cdcb04f870..b4e4b8b9b7 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -19,8 +19,8 @@ Quick facts License - :ref:`mitK5license` Releases: - - Latest stable: http://web.mit.edu/kerberos/krb5-1.14/ - - Supported: http://web.mit.edu/kerberos/krb5-1.13/ + - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/ + - Supported: http://web.mit.edu/kerberos/krb5-1.14/ - Release cycle: 9 -- 12 months Supported platforms \/ OS distributions: @@ -80,8 +80,6 @@ Starting from release 1.8: `Heimdal` -* Support for reading Heimdal database starting from release 1.8 - * Support for KCM credential cache starting from release 1.13 Feature list @@ -261,6 +259,56 @@ Release 1.14 full resync, and do not require two full resyncs after the master KDC's log file is reset. +Release 1.15 + +* Administrator experience: + + - Add support to kadmin for remote extraction of current keys + without changing them (requires a special kadmin permission that + is excluded from the wildcard permission), with the exception of + highly protected keys. + + - Add a lockdown_keys principal attribute to prevent retrieval of + the principal's keys (old or new) via the kadmin protocol. In + newly created databases, this attribute is set on the krbtgt and + kadmin principals. + + - Restore recursive dump capability for DB2 back end, so sites can + more easily recover from database corruption resulting from power + failure events. + + - Add DNS auto-discovery of KDC and kpasswd servers from URI + records, in addition to SRV records. URI records can convey TCP + and UDP servers and master KDC status in a single DNS lookup, and + can also point to HTTPS proxy servers. + + - Add support for password history to the LDAP back end. + + - Add support for principal renaming to the LDAP back end. + + - Use the getrandom system call on supported Linux kernels to avoid + blocking problems when getting entropy from the operating system. + +* Code quality: + + - Clean up numerous compilation warnings. + + - Remove various infrequently built modules, including some preauth + modules that were not built by default. + +* Developer experience: + + - Add support for building with OpenSSL 1.1. + + - Use SHA-256 instead of MD5 for (non-cryptographic) hashing of + authenticators in the replay cache. This helps sites that must + build with FIPS 140 conformant libraries that lack MD5. + +* Protocol evolution: + + - Add support for the AES-SHA2 enctypes, which allows sites to + conform to Suite B crypto requirements. + `Pre-authentication mechanisms` - PW-SALT :rfc:`4120#section-5.2.7.3`